[mirror_frr.git] / doc / user / nhrpd.rst

.. _nhrp:

****
NHRP
****

*nhrpd* is an implementation of the :abbr:`NHRP (Next Hop Routing Protocol)`.
NHRP is described in :rfc:`2332`.

NHRP is used to improve the efficiency of routing computer network traffic over
:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
ARP-like solution that allows a system to dynamically learn the NBMA address of
the other systems that are part of that network, allowing these systems to
directly communicate without requiring traffic to use an intermediate hop.

NHRP is a client-server protocol. The server side is called the :abbr:`NHS
(Next Hop Server)` or the hub, while a client is referred to as the :abbr:`NHC
(Next Hop Client)` or the spoke. When a node is configured as an NHC, it
registers its address with the NHS which keeps track of all registered spokes.
An NHC client can then query the addresses of other clients from NHS allowing
all spokes to communicate directly with each other.

Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and |PACKAGE_NAME| nhrpd
implements this scenario.

.. _routing-design:

Routing Design
==============

nhrpd never handles routing of prefixes itself. You need to run some
real routing protocol (e.g. BGP) to advertise routes over the tunnels.
What nhrpd does it establishes 'shortcut routes' that optimizes the
routing protocol to avoid going through extra nodes in NBMA GRE mesh.

nhrpd does route NHRP domain addresses individually using per-host prefixes.
This is similar to Cisco FlexVPN; but in contrast to opennhrp which uses
a generic subnet route.

To create NBMA GRE tunnel you might use the following (Linux terminal
commands):

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.255.255.2/32 dev gre1
   ip link set gre1 up


Note that the IP-address is assigned as host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when
a connection with these hosts is established.

The gre1 subnet prefix should be announced by routing protocol from the
hub nodes (e.g. BGP 'network' announce). This allows the routing protocol
to decide which is the closest hub and determine the relay hub on prefix
basis when direct tunnel is not established.

nhrpd will redistribute directly connected neighbors to zebra. Within
hub nodes, these routes should be internally redistributed using some
routing protocol (e.g. iBGP) to allow hubs to be able to relay all traffic.

This can be achieved in hubs with the following bgp configuration (network
command defines the GRE subnet):

.. code-block:: frr

  router bgp 65555
   address-family ipv4 unicast
     network 172.16.0.0/16
     redistribute nhrp
   exit-address-family


.. _configuring-nhrp:

Configuring NHRP
================

.. index::  ip nhrp holdtime (1-65000)
.. clicmd:: ip nhrp holdtime (1-65000)

   Holdtime is the number of seconds that have to pass before stopping to
   advertise an NHRP NBMA address as valid. It also controls how often NHRP
   registration requests are sent. By default registrations are sent every one
   third of the holdtime.

.. index::  ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local
.. clicmd:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local

   Map an IP address of a station to the station's NBMA address.

.. index::  ip nhrp network-id (1-4294967295)
.. clicmd:: ip nhrp network-id (1-4294967295)

   Enable NHRP on this interface and set the interface's network ID.  The
   network ID is used to allow creating multiple nhrp domains on a router when
   multiple interfaces are configured on the router.  Interfaces configured
   with the same ID are part of the same logical NBMA network. The ID is a
   local only parameter and is not sent to other NHRP nodes and so IDs on
   different nodes do not need to match. When NHRP packets are received on an
   interface they are assigned to the local NHRP domain for that interface.

.. index::  ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN
.. clicmd:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN

   Configure the Next Hop Server address and its NBMA address.

.. index::  ip nhrp nhs dynamic nbma A.B.C.D
.. clicmd:: ip nhrp nhs dynamic nbma A.B.C.D

   Configure the Next Hop Server to have a dynamic address and set its NBMA
   address.

.. index::  ip nhrp registration no-unique
.. clicmd:: ip nhrp registration no-unique

   Allow the client to not set the unique flag in the NHRP packets. This is
   useful when a station has a dynamic IP address that could change over time.

.. index::  ip nhrp shortcut
.. clicmd:: ip nhrp shortcut

   Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others
   directly after establishing a connection without going through the hub.

.. index::  ip nhrp mtu
.. clicmd:: ip nhrp mtu

   Configure NHRP advertised MTU.


.. _hub-functionality:

Hub Functionality
=================

In addition to routing nhrp redistributed host prefixes, the hub nodes
are also responsible to send NHRP Traffic Indication messages that
trigger creation of the shortcut tunnels.

nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications for network
traffic that is routed from gre1 back to gre1 in rate limited manner.
This can be achieved with the following iptables rule.

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \\
       -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \\
       --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \\
       --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128


You can fine tune the src/dstmask according to the prefix lengths you announce
internal, add additional IP range matches, or rate limitation if needed.
However, the above should be good in most cases.

This kernel NFLOG target's nflog-group is configured in global nhrp config
with:

.. index::  nhrp nflog-group (1-65535)
.. clicmd:: nhrp nflog-group (1-65535)

To start sending these traffic notices out from hubs, use the nhrp
per-interface directive:

.. index::  ip nhrp redirect
.. clicmd:: ip nhrp redirect

This enable redirect replies on the NHS similar to ICMP redirects except this
is managed by the nhrp protocol. This setting allows spokes to communicate with
each others directly.

.. _integration-with-ike:

Integration with IKE
====================

nhrpd needs tight integration with IKE daemon for various reasons.
Currently only strongSwan is supported as IKE daemon.

nhrpd connects to strongSwan using VICI protocol based on UNIX socket which
can be configured using the command below (default to /var/run/charon.vici).

strongSwan currently needs few patches applied. Please check out the
original patches at:
https://git-old.alpinelinux.org/user/tteras/strongswan/

Actively maintained patches are also available at:
https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan

.. _nhrp-events:

NHRP Events
===========

.. index::  nhrp event socket SOCKET
.. clicmd:: nhrp event socket SOCKET

   Configure the Unix path for the event socket.

.. _show-nhrp:

Show  NHRP
==========

.. index::  show [ip|ipv6] nhrp cache [json]
.. clicmd:: show [ip|ipv6] nhrp cache [json]

   Dump the cache entries.

.. index::  show [ip|ipv6] nhrp opennhrp [json]
.. clicmd:: show [ip|ipv6] nhrp opennhrp [json]

   Dump the cache entries with opennhrp format.

.. index::  show [ip|ipv6] nhrp nhs [json]
.. clicmd:: show [ip|ipv6] nhrp nhs [json]

   Dump the hub context.

.. index::  show dmvpn [json]
.. clicmd:: show dmvpn [json]

   Dump the security contexts.

Configuration Example
=====================

.. figure:: ../figures/fig_dmvpn_topologies.png
   :alt: image

   image

IPSec configurration example
----------------------------

This changes required on all nodes as HUB and Spokes.

ipsec.conf file

.. code-block:: shell

  config setup
  conn dmvpn
      authby=secret
      auto=add
      keyexchange=ikev2
      ike=aes256-aes256-sha256-modp2048
      esp=aes256-aes256-sha256-modp2048
      dpdaction=clear
      dpddelay=300s
      left=%any
      leftid=%any
      right=%any
      rightid=%any
      leftprotoport=gre
      rightprotoport=gre
      type=transport
      keyingtries=%forever

ipsec.secrets file

.. code-block:: shell

  %any : PSK "some_s3cret!"


HUB configuration example
-------------------------

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.254/32 dev gre1
   ip link set gre1 up

Adding iptables rules to provide possibility shortcut tunnels and connect spokes directly

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \\
       -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \\
       --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \\
       --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128

FRR config on HUB

.. code-block:: frr

  nhrp nflog-group 1
  !
  interface gre1
   description DMVPN Tunnel Interface
   ip address 10.0.0.254/32
   ip nhrp network-id 1
   ip nhrp redirect
   ip nhrp registration no-unique
   ip nhrp shortcut
   tunnel protection vici profile dmvpn
   tunnel source eth0
   !
   router bgp 65000
    bgp router-id 10.0.0.254
    no bgp ebgp-requires-policy
    neighbor SPOKES peer-group
    neighbor SPOKES disable-connected-check
    neighbor 10.0.0.1 remote-as 65001
    neighbor 10.0.0.1 peer-group SPOKES
    neighbor 10.0.0.2 remote-as 65002
    neighbor 10.0.0.2 peer-group SPOKES
    neighbor 10.0.0.3 remote-as 65003
    neighbor 10.0.0.3 peer-group SPOKES
    !
    address-family ipv4 unicast
     network 172.16.0.0/24
     redistribute nhrp
    exit-address-family

Spoke1 configuration
--------------------

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.1/32 dev gre1
   ip link set gre1 up


FRR config on Spoke1

.. code-block:: frr

  interface gre1
   description DMVPN Tunnel Interface
   ip address 10.0.0.1/32
   ip nhrp network-id 1
   ip nhrp nhs dynamic nbma 198.51.100.1
   ip nhrp redirect
   ip nhrp registration no-unique
   ip nhrp shortcut
   no link-detect
   tunnel protection vici profile dmvpn
   tunnel source eth0
  !
  router bgp 65001
   no bgp ebgp-requires-policy
   neighbor 10.0.0.254 remote-as 65000
   neighbor 10.0.0.254 disable-connected-check
   !
   address-family ipv4 unicast
    network 172.16.1.0/24
   exit-address-family


Spoke2 configuration
--------------------

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.1/32 dev gre1
   ip link set gre1 up

FRR config on Spoke2

.. code-block:: frr

  interface gre1
   description DMVPN Tunnel Interface
   ip address 10.0.0.2/32
   ip nhrp network-id 1
   ip nhrp nhs dynamic nbma 198.51.100.1
   ip nhrp redirect
   ip nhrp registration no-unique
   ip nhrp shortcut
   no link-detect
   tunnel protection vici profile dmvpn
   tunnel source eth0
  !
  router bgp 65002
   no bgp ebgp-requires-policy
   neighbor 10.0.0.254 remote-as 65000
   neighbor 10.0.0.254 disable-connected-check
   !
   address-family ipv4 unicast
    network 172.16.2.0/24
   exit-address-family


Spoke3 configuration
--------------------

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.3/32 dev gre1
   ip link set gre1 up

FRR config on Spoke3

.. code-block:: frr

  interface gre1
   description DMVPN Tunnel Interface
   ip address 10.0.0.3/32
   ip nhrp network-id 1
   ip nhrp nhs dynamic nbma 198.51.100.1
   ip nhrp redirect
   ip nhrp registration no-unique
   ip nhrp shortcut
   no link-detect
   tunnel protection vici profile dmvpn
   tunnel source eth0
  !
  router bgp 65003
   no bgp ebgp-requires-policy
   neighbor 10.0.0.254 remote-as 65000
   neighbor 10.0.0.254 disable-connected-check
   !
   address-family ipv4 unicast
    network 172.16.3.0/24
   exit-address-family
Commit	Line	Data
0efdf0fe	1	.. _nhrp:
caba6093	2
42fc5d26 QY	3	****
	4	NHRP
	5	****
	6
68edc5ff JAG	7	nhrpd is an implementation of the :abbr:`NHRP (Next Hop Routing Protocol)`.
68edc5ff JAG	8	NHRP is described in :rfc:`2332`.
caba6093	9
c1a54c05 QY	10	NHRP is used to improve the efficiency of routing computer network traffic over
	11	:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
	12	ARP-like solution that allows a system to dynamically learn the NBMA address of
	13	the other systems that are part of that network, allowing these systems to
	14	directly communicate without requiring traffic to use an intermediate hop.
caba6093	15
68edc5ff JAG	16	NHRP is a client-server protocol. The server side is called the :abbr:`NHS
	17	(Next Hop Server)` or the hub, while a client is referred to as the :abbr:`NHC
	18	(Next Hop Client)` or the spoke. When a node is configured as an NHC, it
	19	registers its address with the NHS which keeps track of all registered spokes.
	20	An NHC client can then query the addresses of other clients from NHS allowing
	21	all spokes to communicate directly with each other.
	22
c1a54c05 QY	23	Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and \|PACKAGE_NAME\| nhrpd
c1a54c05 QY	24	implements this scenario.
caba6093	25
0efdf0fe	26	.. _routing-design:
caba6093	27
42fc5d26 QY	28	Routing Design
42fc5d26 QY	29	==============
caba6093 TT	30
	31	nhrpd never handles routing of prefixes itself. You need to run some
	32	real routing protocol (e.g. BGP) to advertise routes over the tunnels.
	33	What nhrpd does it establishes 'shortcut routes' that optimizes the
	34	routing protocol to avoid going through extra nodes in NBMA GRE mesh.
	35
	36	nhrpd does route NHRP domain addresses individually using per-host prefixes.
	37	This is similar to Cisco FlexVPN; but in contrast to opennhrp which uses
	38	a generic subnet route.
	39
c1a54c05	40	To create NBMA GRE tunnel you might use the following (Linux terminal
68edc5ff JAG	41	commands):
	42
	43	.. code-block:: console
42fc5d26	44
42fc5d26 QY	45	ip tunnel add gre1 mode gre key 42 ttl 64
	46	ip addr add 10.255.255.2/32 dev gre1
	47	ip link set gre1 up
a8c90e15	48
caba6093 TT	49
	50	Note that the IP-address is assigned as host prefix to gre1. nhrpd will
	51	automatically create additional host routes pointing to gre1 when
	52	a connection with these hosts is established.
	53
	54	The gre1 subnet prefix should be announced by routing protocol from the
	55	hub nodes (e.g. BGP 'network' announce). This allows the routing protocol
	56	to decide which is the closest hub and determine the relay hub on prefix
	57	basis when direct tunnel is not established.
	58
	59	nhrpd will redistribute directly connected neighbors to zebra. Within
	60	hub nodes, these routes should be internally redistributed using some
	61	routing protocol (e.g. iBGP) to allow hubs to be able to relay all traffic.
	62
	63	This can be achieved in hubs with the following bgp configuration (network
9eb95b3b QY	64	command defines the GRE subnet):
	65
	66	.. code-block:: frr
42fc5d26	67
42fc5d26 QY	68	router bgp 65555
	69	address-family ipv4 unicast
	70	network 172.16.0.0/16
	71	redistribute nhrp
	72	exit-address-family
a8c90e15	73
caba6093	74
0efdf0fe	75	.. _configuring-nhrp:
caba6093	76
42fc5d26 QY	77	Configuring NHRP
42fc5d26 QY	78	================
caba6093	79
68edc5ff JAG	80	.. index:: ip nhrp holdtime (1-65000)
	81	.. clicmd:: ip nhrp holdtime (1-65000)
	82
	83	Holdtime is the number of seconds that have to pass before stopping to
	84	advertise an NHRP NBMA address as valid. It also controls how often NHRP
	85	registration requests are sent. By default registrations are sent every one
	86	third of the holdtime.
	87
	88	.. index:: ip nhrp map A.B.C.D\|X:X::X:X A.B.C.D\|local
	89	.. clicmd:: ip nhrp map A.B.C.D\|X:X::X:X A.B.C.D\|local
	90
	91	Map an IP address of a station to the station's NBMA address.
	92
	93	.. index:: ip nhrp network-id (1-4294967295)
	94	.. clicmd:: ip nhrp network-id (1-4294967295)
	95
	96	Enable NHRP on this interface and set the interface's network ID. The
	97	network ID is used to allow creating multiple nhrp domains on a router when
	98	multiple interfaces are configured on the router. Interfaces configured
	99	with the same ID are part of the same logical NBMA network. The ID is a
	100	local only parameter and is not sent to other NHRP nodes and so IDs on
	101	different nodes do not need to match. When NHRP packets are received on an
	102	interface they are assigned to the local NHRP domain for that interface.
	103
	104	.. index:: ip nhrp nhs A.B.C.D nbma A.B.C.D\|FQDN
	105	.. clicmd:: ip nhrp nhs A.B.C.D nbma A.B.C.D\|FQDN
	106
	107	Configure the Next Hop Server address and its NBMA address.
	108
	109	.. index:: ip nhrp nhs dynamic nbma A.B.C.D
	110	.. clicmd:: ip nhrp nhs dynamic nbma A.B.C.D
	111
	112	Configure the Next Hop Server to have a dynamic address and set its NBMA
	113	address.
	114
	115	.. index:: ip nhrp registration no-unique
	116	.. clicmd:: ip nhrp registration no-unique
	117
	118	Allow the client to not set the unique flag in the NHRP packets. This is
	119	useful when a station has a dynamic IP address that could change over time.
	120
	121	.. index:: ip nhrp shortcut
	122	.. clicmd:: ip nhrp shortcut
	123
	124	Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others
	125	directly after establishing a connection without going through the hub.
	126
	127	.. index:: ip nhrp mtu
	128	.. clicmd:: ip nhrp mtu
	129
	130	Configure NHRP advertised MTU.
	131
caba6093	132
0efdf0fe	133	.. _hub-functionality:
42fc5d26 QY	134
	135	Hub Functionality
	136	=================
caba6093 TT	137
	138	In addition to routing nhrp redistributed host prefixes, the hub nodes
	139	are also responsible to send NHRP Traffic Indication messages that
	140	trigger creation of the shortcut tunnels.
	141
	142	nhrpd sends Traffic Indication messages based on network traffic captured
	143	using NFLOG. Typically you want to send Traffic Indications for network
	144	traffic that is routed from gre1 back to gre1 in rate limited manner.
	145	This can be achieved with the following iptables rule.
	146
9eb95b3b	147	.. code-block:: shell
42fc5d26	148
9eb95b3b QY	149	iptables -A FORWARD -i gre1 -o gre1 \\
	150	-m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \\
	151	--hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \\
	152	--hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128
a8c90e15	153
caba6093	154
68edc5ff JAG	155	You can fine tune the src/dstmask according to the prefix lengths you announce
	156	internal, add additional IP range matches, or rate limitation if needed.
	157	However, the above should be good in most cases.
caba6093 TT	158
caba6093 TT	159	This kernel NFLOG target's nflog-group is configured in global nhrp config
9eb95b3b QY	160	with:
9eb95b3b QY	161
68edc5ff JAG	162	.. index:: nhrp nflog-group (1-65535)
68edc5ff JAG	163	.. clicmd:: nhrp nflog-group (1-65535)
a8c90e15	164
caba6093	165	To start sending these traffic notices out from hubs, use the nhrp
9eb95b3b QY	166	per-interface directive:
9eb95b3b QY	167
68edc5ff JAG	168	.. index:: ip nhrp redirect
68edc5ff JAG	169	.. clicmd:: ip nhrp redirect
42fc5d26	170
68edc5ff JAG	171	This enable redirect replies on the NHS similar to ICMP redirects except this
	172	is managed by the nhrp protocol. This setting allows spokes to communicate with
	173	each others directly.
a8c90e15	174
0efdf0fe	175	.. _integration-with-ike:
caba6093	176
42fc5d26 QY	177	Integration with IKE
42fc5d26 QY	178	====================
caba6093 TT	179
	180	nhrpd needs tight integration with IKE daemon for various reasons.
	181	Currently only strongSwan is supported as IKE daemon.
	182
37e6bd4e JAG	183	nhrpd connects to strongSwan using VICI protocol based on UNIX socket which
37e6bd4e JAG	184	can be configured using the command below (default to /var/run/charon.vici).
caba6093 TT	185
caba6093 TT	186	strongSwan currently needs few patches applied. Please check out the
37e6bd4e JAG	187	original patches at:
	188	https://git-old.alpinelinux.org/user/tteras/strongswan/
	189
	190	Actively maintained patches are also available at:
	191	https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan
caba6093	192
0efdf0fe	193	.. _nhrp-events:
42fc5d26 QY	194
	195	NHRP Events
	196	===========
caba6093	197
68edc5ff JAG	198	.. index:: nhrp event socket SOCKET
	199	.. clicmd:: nhrp event socket SOCKET
	200
	201	Configure the Unix path for the event socket.
caba6093	202
25901edd PG	203	.. _show-nhrp:
	204
	205	Show NHRP
	206	==========
	207
	208	.. index:: show [ip\|ipv6] nhrp cache [json]
	209	.. clicmd:: show [ip\|ipv6] nhrp cache [json]
	210
	211	Dump the cache entries.
	212
	213	.. index:: show [ip\|ipv6] nhrp opennhrp [json]
	214	.. clicmd:: show [ip\|ipv6] nhrp opennhrp [json]
	215
	216	Dump the cache entries with opennhrp format.
	217
	218	.. index:: show [ip\|ipv6] nhrp nhs [json]
	219	.. clicmd:: show [ip\|ipv6] nhrp nhs [json]
	220
	221	Dump the hub context.
	222
	223	.. index:: show dmvpn [json]
	224	.. clicmd:: show dmvpn [json]
	225
	226	Dump the security contexts.
	227
42fc5d26 QY	228	Configuration Example
42fc5d26 QY	229	=====================
caba6093	230
9d6abd3c D	231	.. figure:: ../figures/fig_dmvpn_topologies.png
	232	:alt: image
	233
	234	image
	235
	236	IPSec configurration example
	237	----------------------------
	238
	239	This changes required on all nodes as HUB and Spokes.
	240
	241	ipsec.conf file
	242
	243	.. code-block:: shell
	244
	245	config setup
	246	conn dmvpn
	247	authby=secret
	248	auto=add
	249	keyexchange=ikev2
	250	ike=aes256-aes256-sha256-modp2048
	251	esp=aes256-aes256-sha256-modp2048
	252	dpdaction=clear
	253	dpddelay=300s
	254	left=%any
	255	leftid=%any
	256	right=%any
	257	rightid=%any
	258	leftprotoport=gre
	259	rightprotoport=gre
	260	type=transport
	261	keyingtries=%forever
	262
	263	ipsec.secrets file
	264
	265	.. code-block:: shell
	266
	267	%any : PSK "some_s3cret!"
	268
	269
	270	HUB configuration example
	271	-------------------------
	272
	273	Creating gre interface
	274
	275	.. code-block:: console
	276
	277	ip tunnel add gre1 mode gre key 42 ttl 64
	278	ip addr add 10.0.0.254/32 dev gre1
	279	ip link set gre1 up
	280
	281	Adding iptables rules to provide possibility shortcut tunnels and connect spokes directly
	282
	283	.. code-block:: shell
	284
	285	iptables -A FORWARD -i gre1 -o gre1 \\
	286	-m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \\
	287	--hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \\
	288	--hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128
	289
	290	FRR config on HUB
	291
	292	.. code-block:: frr
	293
	294	nhrp nflog-group 1
295	!
296	interface gre1
297	description DMVPN Tunnel Interface
298	ip address 10.0.0.254/32
299	ip nhrp network-id 1
300	ip nhrp redirect
301	ip nhrp registration no-unique
302	ip nhrp shortcut
303	tunnel protection vici profile dmvpn
304	tunnel source eth0
305	!
306	router bgp 65000
307	bgp router-id 10.0.0.254
308	no bgp ebgp-requires-policy
309	neighbor SPOKES peer-group
310	neighbor SPOKES disable-connected-check
311	neighbor 10.0.0.1 remote-as 65001
312	neighbor 10.0.0.1 peer-group SPOKES
313	neighbor 10.0.0.2 remote-as 65002
314	neighbor 10.0.0.2 peer-group SPOKES
315	neighbor 10.0.0.3 remote-as 65003
316	neighbor 10.0.0.3 peer-group SPOKES
317	!
318	address-family ipv4 unicast
319	network 172.16.0.0/24
320	redistribute nhrp
321	exit-address-family
322
323	Spoke1 configuration
324	--------------------
325
326	Creating gre interface
327
328	.. code-block:: console
329
330	ip tunnel add gre1 mode gre key 42 ttl 64
331	ip addr add 10.0.0.1/32 dev gre1
332	ip link set gre1 up
333
334
335	FRR config on Spoke1
336
337	.. code-block:: frr
338
339	interface gre1
340	description DMVPN Tunnel Interface
341	ip address 10.0.0.1/32
342	ip nhrp network-id 1
343	ip nhrp nhs dynamic nbma 198.51.100.1
344	ip nhrp redirect
345	ip nhrp registration no-unique
346	ip nhrp shortcut
347	no link-detect
348	tunnel protection vici profile dmvpn
349	tunnel source eth0
350	!
351	router bgp 65001
352	no bgp ebgp-requires-policy
353	neighbor 10.0.0.254 remote-as 65000
354	neighbor 10.0.0.254 disable-connected-check
355	!
356	address-family ipv4 unicast
357	network 172.16.1.0/24
358	exit-address-family
359
360
361	Spoke2 configuration
362	--------------------
363
364	Creating gre interface
365
366	.. code-block:: console
367
368	ip tunnel add gre1 mode gre key 42 ttl 64
369	ip addr add 10.0.0.1/32 dev gre1
370	ip link set gre1 up
371
372	FRR config on Spoke2
373
374	.. code-block:: frr
375
376	interface gre1
377	description DMVPN Tunnel Interface
378	ip address 10.0.0.2/32
379	ip nhrp network-id 1
380	ip nhrp nhs dynamic nbma 198.51.100.1
381	ip nhrp redirect
382	ip nhrp registration no-unique
383	ip nhrp shortcut
384	no link-detect
385	tunnel protection vici profile dmvpn
386	tunnel source eth0
387	!
388	router bgp 65002
389	no bgp ebgp-requires-policy
390	neighbor 10.0.0.254 remote-as 65000
391	neighbor 10.0.0.254 disable-connected-check
392	!
393	address-family ipv4 unicast
394	network 172.16.2.0/24
395	exit-address-family
396
397
398	Spoke3 configuration
399	--------------------
400
401	Creating gre interface
402
403	.. code-block:: console
404
405	ip tunnel add gre1 mode gre key 42 ttl 64
406	ip addr add 10.0.0.3/32 dev gre1
407	ip link set gre1 up
408
409	FRR config on Spoke3
410
411	.. code-block:: frr
412
413	interface gre1
414	description DMVPN Tunnel Interface
415	ip address 10.0.0.3/32
416	ip nhrp network-id 1
417	ip nhrp nhs dynamic nbma 198.51.100.1
418	ip nhrp redirect
419	ip nhrp registration no-unique
420	ip nhrp shortcut
421	no link-detect
422	tunnel protection vici profile dmvpn
423	tunnel source eth0
424	!
425	router bgp 65003
426	no bgp ebgp-requires-policy
427	neighbor 10.0.0.254 remote-as 65000
428	neighbor 10.0.0.254 disable-connected-check
429	!
430	address-family ipv4 unicast
431	network 172.16.3.0/24
432	exit-address-family
42fc5d26	433